
CLAIMS 

1. Method for controlling access to protected contents on a server, the method requiring the following components to be present:

a) a server
b) a client
c) a reader for a mobile security module
d) a security module having at least one protected area for storing a key
e) a data link for communications between client and server

characterized by the following steps:

aa) sending to the server of a request to call up protected-access contents
bb) sending from the server to the client of an authentication module to be run in the client
cc) execution of an authentication protocol for authenticating the mobile security module and, where appropriate, its holder by means of the authentication module
dd) if the authentication in step cc) was successful, addition to the request in step aa) of a session ID which was generated in the course of the communications between the authentication module and the server
ee) sending of the new request to the server application
ff) checking of the session ID in the request to see that it is recorded in the server
gg) processing of the content requested for transmission and searching of the content for further links to other protected-access contents
hh) addition of the session ID to the links identified
ii) sending of the content modified as in step hh) to the client.

2. Method according to claim 1, characterized in that the server is a web server and the protected contents are web pages which are called up via a browser by a URL request from a client.



3. Method according to claim 1, characterized in that the authentication protocol is executed in the following steps:

jj) generation of a random number by the server application when the content requested is access-protected and the requirements for access have not been satisfied, and sending of the random number to the authentication module
kk) sending of the random number from the authentication module to the mobile security module
ll) generation in the mobile security module of a digital signature which takes account of the identity number of the mobile security module, the random number and the key of the mobile security module
mm) sending of the digital signature to the server
nn) checking of the correctness of the digital signature using the security module of the server.

4. Method according to claim 2, characterized in that the server application is a servlet and the client authentication module is an authentication applet and in that on receipt of a URL request the servlet checks the URL request for the presence of a session ID and, if there is no session ID present, sends an authentication applet containing a random number to the client.



5. Method according to claim 1, characterized in that the communications between client and server take place via SSL (secure sockets layer) as the transmission protocol.



6. Method according to claim 4, characterized in that the authentication applet communicates with the servlet by internet or intranet using the TCP/IP protocol.

7. Method according to claim 3, characterized in that the digital signature is generated by means of a symmetrical encryption algorithm with the help of a secret key agreed between client and server, or by means of an asymmetrical encryption algorithm with the help of a private key, the server being in possession of the public key.

8. Method according to claim 7, characterized in that the symmetrical encryption algorithm is DES or triple DES and the asymmetrical encryption algorithm is RSA, DSA or an elliptic curve algorithm.

9. Method according to claim 4, characterized in that if the digital signature does not agree, the servlet sends an error message to the client applet.
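Claims 3, 4, 7 and 9 describe a challenge-response exchange: the servlet issues a random number, the card signs it together with its identity number under its protected key, and the server's security module checks the result. The Python program below is an added example, not code from the patent or from any product: it simulates the card, the applet and the servlet in one process, uses HMAC-SHA256 as a stand-in for the DES/3DES MAC or RSA/DSA/ECC signature named in claim 8, and the card number, key, class and function names are assumptions. It also adds one check the claims leave implicit, namely that each random number is accepted only once.

```python
import hashlib
import hmac
import secrets

# Constructed key table of the server's security module (claim 19): card number -> shared secret.
# The same secret sits in the card's protected memory (claim 21); both sides are simulated here.
CARD_KEYS = {
    "4711000012345678": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}


class MobileSecurityModule:
    """Simulated chip card holding a card number and a key in protected memory."""

    def __init__(self, card_number: str, key: bytes):
        self.card_number = card_number
        self._key = key  # never leaves the card

    def sign(self, challenge: bytes) -> bytes:
        # Step ll): the signature covers the identity number and the random number
        # and is keyed with the card key (HMAC-SHA256 stands in for claim 8's algorithms).
        msg = self.card_number.encode() + b"|" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class ServerApplication:
    """Servlet side: issues challenges (step jj) and verifies signatures (step nn)."""

    def __init__(self, key_table):
        self._keys = key_table
        self._outstanding = set()  # challenges issued and not yet consumed

    def new_challenge(self) -> bytes:
        # Step jj): an unpredictable random number from the OS CSPRNG.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, card_number: str, challenge: bytes, signature: bytes) -> bool:
        # Added replay check: only a challenge this server issued, and only once.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        key = self._keys.get(card_number)
        if key is None:
            return False
        # Step nn): recompute the expected signature and compare in constant time.
        expected = hmac.new(key, card_number.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class AuthenticationApplet:
    """Client-side module of step bb): relays challenge and signature (steps kk, mm)."""

    def __init__(self, card: MobileSecurityModule):
        self.card = card

    def run(self, server: ServerApplication) -> bool:
        challenge = server.new_challenge()                                   # jj)
        signature = self.card.sign(challenge)                                # kk), ll)
        return server.verify(self.card.card_number, challenge, signature)    # mm), nn)


def demo():
    """Genuine card succeeds; a card with the right number but the wrong key fails (claim 9)."""
    server = ServerApplication(CARD_KEYS)
    genuine = AuthenticationApplet(MobileSecurityModule("4711000012345678", CARD_KEYS["4711000012345678"]))
    forged = AuthenticationApplet(MobileSecurityModule("4711000012345678", b"wrong key"))
    return genuine.run(server), forged.run(server)


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check against this design: the random number must be fresh and unpredictable for every request, otherwise a recorded signature can be replayed, and single DES as named in claim 8 is no longer considered an adequate MAC or cipher; a modern deployment would use an HMAC or an ECDSA signature from the card.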



10. Method according to claim 1, characterized in that a session ID is generated from a large range of values to prevent its being discovered by a targeted search.

11. Method according to claim 1, characterized in that the session ID shows the user to be an authorized person for all requests within a specified session.

12. Method according to claim 1, characterized in that the session ID is given a period of validity.

13. Method according to claim 12, characterized in that the session ID loses its validity on expiry of a fixed time or when a session is terminated by means of a log-off page.

14. Method according to claim 1, characterized in that the session ID generated in step dd) is recorded in a table and in that the presence of an entry in the table is a requirement for access to all the protected-access pages.

15. Method according to claim 14, characterized in that when the validity of a session ID expires or when a session is terminated by means of a log-off page the session ID is deleted from the table.
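Steps ff) to ii) of claim 1 together with claims 10 to 15 describe the server-side session handling: a session ID drawn from a large range, recorded in a table with a period of validity, checked on every request, appended to every link to protected content, and deleted on expiry or log-off. The Python module below is an added example and not the patent's or any product's code; the path prefix, lifetime, sample pages and function names are assumptions, and the href regular expression is a deliberate simplification of the link search in step gg).

```python
import re
import secrets
import time

PROTECTED_PREFIX = "/protected/"   # assumption: paths under this prefix are access-protected
SESSION_LIFETIME = 900             # seconds; claims 12 and 13 give the ID a fixed validity period

# Constructed sample pages served by the "servlet".
PAGES = {
    "/index.html": '<a href="/protected/report.html">report</a>',
    "/protected/report.html": ('<a href="/protected/detail.html?year=2001">detail</a> '
                               '<a href="/public/help.html">help</a>'),
}


class SessionTable:
    """Table of valid session IDs (claim 14) with expiry and log-off deletion (claims 13, 15)."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self._table = {}        # session ID -> expiry timestamp
        self._lifetime = lifetime
        self._clock = clock     # injectable for testing expiry

    def create(self) -> str:
        # Claim 10: 32 bytes from the OS CSPRNG give a range far too large for a targeted search.
        sid = secrets.token_urlsafe(32)
        self._table[sid] = self._clock() + self._lifetime
        return sid

    def is_valid(self, sid) -> bool:
        # Step ff): the ID must be recorded in the table and not yet expired.
        expiry = self._table.get(sid)
        if expiry is None:
            return False
        if self._clock() > expiry:
            del self._table[sid]  # claim 15: expired IDs are removed
            return False
        return True

    def logoff(self, sid):
        # Claims 13 and 15: termination via the log-off page deletes the entry.
        self._table.pop(sid, None)


_HREF = re.compile(r'href="([^"]*)"')


def add_session_id(html: str, sid: str) -> str:
    """Steps gg) and hh): append the session ID to links into protected content only."""
    def rewrite(match):
        url = match.group(1)
        if not url.startswith(PROTECTED_PREFIX):
            return match.group(0)          # public links are left untouched
        sep = "&" if "?" in url else "?"
        return f'href="{url}{sep}sid={sid}"'
    return _HREF.sub(rewrite, html)


def handle_request(path: str, query: dict, sessions: SessionTable, pages: dict):
    """Servlet dispatch of claim 4. Returns ("auth", None) when an authentication applet
    must be sent, ("forbidden", None) for an unknown or expired ID, or ("ok", body)."""
    if not path.startswith(PROTECTED_PREFIX):
        return "ok", pages.get(path, "")
    sid = query.get("sid")
    if sid is None:
        return "auth", None                # no session ID: send the authentication applet
    if not sessions.is_valid(sid):
        return "forbidden", None
    return "ok", add_session_id(pages.get(path, ""), sid)   # step ii)


if __name__ == "__main__":
    sessions = SessionTable()
    print(handle_request("/protected/report.html", {}, sessions, PAGES))
    sid = sessions.create()
    print(handle_request("/protected/report.html", {"sid": sid}, sessions, PAGES))
```

Carrying the session ID in the URL, as the claims describe, has a known cost: the ID is exposed in browser history, proxy and server logs and in the Referer header of any outbound link, so a page that mixes protected and external links leaks the session to third parties. The link rewriting must also be complete; a single protected link left without the ID drops the user back to the authentication step.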



16. Apparatus comprising at least the following components:

a) client comprising at least:
aa) a browser
bb) a computer software product for executing steps aa), cc), dd) and ee) of the method according to claim 1
cc) reader for a mobile security module

b) server comprising at least:
aa) a computer software product for executing steps bb), ff), gg), hh) and ii) of the method according to claim 1

c) a communications connection between client and server.



17. Apparatus according to claim 16, characterized in that the server is a web server and in that the communications connection between client and web server is made by internet or intranet.



18. Web server comprising at least:

a) a non-volatile memory for storing web pages
b) a computer software product for executing steps bb), ff), gg), hh) and ii) of the method according to claim 1.



19. Web server according to claim 18, characterized in that a security module for performing step nn) of the method according to claim 1 is also provided.

20. Client comprising at least:

aa) a browser
bb) a computer software product for executing steps aa), cc), dd) and ee) of the method according to claim 1.



21. Client according to claim 20, also comprising:

a) chip card reader for a mobile security module
b) chip card having a non-volatile, protected memory containing at least:
aa) a card number
bb) a cryptographic key.



22. Computer software product which is stored in the internal memory of a digital computer, comprising items of software code for executing the method according to claims 1-15 when the product is run on the computer.






